2026-04-12

Hysteria 2 vs VLESS Reality

Two modern VPN protocols for different scenarios. We break down when each is faster and why they belong together.

TL;DR

Hysteria 2 is faster on unstable networks and mobile internet. VLESS Reality is stealthier and works where UDP is blocked. Both live in the same Lunaire subscription, and the client's auto-switch picks the right one on the fly.

Transport layer

The main difference is transport. Hysteria 2 runs strictly over UDP (QUIC stack). VLESS Reality runs over TCP/443. That choice affects everything else: whether firewalls let the traffic through, handshake speed, and behavior under packet loss.

UDP is a datagram protocol with no delivery guarantees. QUIC layers its own reliable-delivery logic on top of UDP and does it more efficiently than classic TCP: 0-RTT session resumption, stream multiplexing without head-of-line blocking, and more flexible congestion control.

TCP guarantees ordered delivery at the OS level. Reality uses the standard Linux/macOS/Windows TCP stack plus a TLS 1.3 handshake disguised as a connection to an external domain. The handshake is slower than QUIC's (3 RTT vs 1 RTT) but more compatible with arbitrary networks.

Congestion control

Hysteria 2 uses Brutal, its own congestion-control algorithm. Brutal takes an explicit target bandwidth from the user (e.g., "50 Mbps") and tries to hold it, ignoring packet loss as a congestion signal. Rising RTT is the only trigger to slow down. That delivers 2-3× the throughput on lossy networks.

VLESS Reality runs over plain TCP, so it uses TCP BBR / Cubic depending on the server kernel. Lunaire nodes run BBR v3, which holds speed well on stable networks but degrades at 5%+ packet loss. On mobile internet the gap with Hysteria can reach 3-5×.

Stealth

Reality wins by a wide margin. A Reality TLS handshake is indistinguishable from a handshake with a real domain: the server serves the external site's certificate (Microsoft, Apple, Cloudflare), the SNI matches, and the TLS version and cipher suite are standard. Even advanced TLS-fingerprint systems (JA3/JA4) see regular HTTPS traffic.

Hysteria 2 is also stealthy, but not to the same degree. It looks like QUIC and uses a real TLS 1.3 handshake, but QUIC as a category attracts more attention from classifiers than regular HTTPS. On networks with active QUIC filtering (some corporate firewalls), Hysteria can be blocked while Reality passes.

Handshake speed

QUIC supports 0-RTT resumption — reconnecting to the same server happens with zero RTT, data flies alongside the handshake. This gives Hysteria 2 very fast reconnection (useful on mobile networks where connections break and recover frequently).

TCP Reality needs at least 3 RTT to the first byte of data: TCP SYN → TLS ClientHello → TLS ServerHello → TLS Finished → data. On a Moscow-Amsterdam route (RTT ~40 ms) that's ~120 ms to the first byte. Hysteria 2 on the same route takes ~40-80 ms.

When to pick which

Hysteria 2: mobile internet, public Wi-Fi, long international routes, streaming, downloads, VoIP calls.

VLESS Reality: corporate networks banning UDP, networks with DPI classifiers, operation in places with aggressive QUIC filtering, maximum stealth.

Both together: Lunaire's approach. The subscription carries both protocols plus xHTTP and WebSocket. The client keeps Hysteria as primary and switches to Reality when Hysteria degrades. Users get the best of both worlds without manual tuning.
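
The primary/fallback behavior described above can be sketched as a probe-driven selector with a hold-down, so the client does not flap between transports on one good or bad reading. This is an added example, not Lunaire's client code: the class names, the thresholds, and the probe trace are all assumptions made for illustration.

```python
from collections import deque

# Assumed policy values; the page does not publish the client's real thresholds.
WINDOW = 5        # most recent probes kept per transport
MAX_FAILS = 2     # more timed-out probes than this in the window = degraded
MAX_RTT_MS = 400  # median RTT above this = degraded
HOLD_DOWN = 3     # consecutive healthy primary readings required to fail back

class Transport:
    def __init__(self, name):
        self.name = name
        self.probes = deque(maxlen=WINDOW)  # RTT in ms, or None for a timeout

    def degraded(self):
        if len(self.probes) < WINDOW:
            return False  # not enough evidence yet
        ok = sorted(r for r in self.probes if r is not None)
        if len(self.probes) - len(ok) > MAX_FAILS:
            return True
        return ok[len(ok) // 2] > MAX_RTT_MS

class AutoSwitch:
    def __init__(self):
        self.primary = Transport("hysteria2")       # UDP/QUIC
        self.fallback = Transport("vless-reality")  # TCP/443
        self.active, self.streak = self.primary, 0

    def observe(self, primary_rtt, fallback_rtt):
        """Record one probe per transport and return the transport to use."""
        self.primary.probes.append(primary_rtt)
        self.fallback.probes.append(fallback_rtt)
        bad = self.primary.degraded()
        if self.active is self.primary:
            # Leave the primary only if the fallback is actually usable.
            if bad and not self.fallback.degraded():
                self.active, self.streak = self.fallback, 0
        else:
            # Hold-down: one good reading is not enough to fail back.
            self.streak = 0 if bad else self.streak + 1
            if self.streak >= HOLD_DOWN:
                self.active = self.primary
        return self.active.name

def replay(trace):
    switch = AutoSwitch()
    return [switch.observe(p, f) for p, f in trace]

# Constructed trace: (hysteria2 RTT, reality RTT) in ms; None = probe timed out.
TRACE = [(45, 60)] * 5 + [(None, 62)] * 3 + [(48, 61)] * 6
```

Replaying the constructed trace keeps Hysteria 2 active until three of the last five UDP probes have timed out, moves to Reality, and returns to Hysteria 2 only after three consecutive healthy windows.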

Takeaway

Pitting Hysteria 2 against VLESS Reality is a false dilemma. They target different problems, not each other. The right architectural choice is to run them in parallel and auto-switch. That's exactly how Lunaire's stack is built — four protocols in one subscription, auto-switch decides which is active right now.